SDR and its role in cybersecurity

The need to send data or voice wirelessly between people, between machines (M2M, Machine to Machine) or between people and machines (HMC, Human-Machine Communication), has entailed the development of multiple systems, technologies and protocols, both within and outside industrial environments, the main ones being as described in the study on ‘Cybersecurity in Wireless Comunications in Industrial Enviroments’.

Each piece of technology and protocol has its own features and requires a system with specific hardware or software to operate. This ceases to be when it comes to SDR (Software Defined Radio), Software Radio or RDI (a Radioelectric system determined by computer programs), according to the ITU (International Telecommunication Union).

Concept

An SDR can be defined, according to the Wireless Innovation Forum, in collaboration with the IEEE, as “a type of radio in which some or all of the physical layer functions are software defined”. In other words, an SDR is a reprogrammable or reconfigurable radio, in which the hardware can perform different operations by modifying its configuration using software or firmware.

Hence, an SDR is not a radio, whether analogue or digital. The differences lie in the fact that an analogue radio does not use digital signals at any stage and, moreover, like a digital radio in this case, it requires that its factory hardware to be replaced by different hardware to be able to perform operations other than the pre-established ones.

Operation

The modes of communication that SDR models can offer are:

• Simplex, if the SDR can only act as a receiver or transmitter, without the option of switching.
• Half-duplex, when the SDR can send or receive signals, but not simultaneously.
• Full-duplex, if transmission and reception can be done simultaneously.

On the other hand, despite the different architectures (hardware or software) available on the market, they all share their own sequence of stages in how an SDR operates, which corresponds, in signal reception mode, to the following:

- Example of hardware architecture for a receiver (in black)/transmitter (in blue) SDR based on an FPGA and half-duplex communication. -

• Stage 0: Reception of the radio frequency (RF) signal that carries the information to be processed, using an antenna with appropriate specifications (polarisation, radiation pattern, bandwidth, etc.) for optimal tuning of the signal.
• Stage 1: Signal conditioning tuning. The purpose of this stage is to tune the analogue signal to its characteristic frequency, using a software-controlled frequency mixer, and by adapting it to the characteristics of the analogue-digital converter (ADC). In this stage, the following operations are carried out: amplification, filtering and frequency conversion to intermediate frequency (IF).
• Stage 2: Analogue-digital conversion of the analogue signal into IF, thanks to a high-speed ADC that performs the following operations: sampling, retention, quantification and binary coding.
• Stage 3: Generation and conditioning of the I/Q signal. The purpose of this stage is to break down the digital signal into two: the I signal (in phase) and the Q signal (in quadrature), and to adapt them both to the characteristics of the later communications processor or bus, in terms of bandwidth, transfer speed and processing speed. The operations to be executed, and which are executed by a DDC (Digital Down Converter), are: conversion from IF to baseband, filtering and decimating (reduction of the sampling rate). Generating the I/Q signal is necessary, since it provides more accurate data, in terms of amplitude, frequency and phase, and prevents errors in the subsequent processing.
• Stage 4: Data processing. In this stage, the information in the I/Q signal is extracted, analysed and presented. This information may contain voice, data related to an image or a video, text, or a combination thereof. The following operations may be carried out: reverse engineering, demodulation, decoding, FFT, spectral analysis or decryption, among others, depending upon the associated software. Depending on the SDR’s hardware architecture, the processing load may be:
  • Not distributed, that is, all operations are performed by a General Purpose Processor (GPP) thar runs at least one specific piece of software, such as SDRSharp, GNU Radio, HDSDR o BaseStation, among others.
  • Distributed among the GPP, which runs the specific software, and an ASIC (Application-Specific Integrated Circuit), a DSP (Digital Signal Processor) and an FPGA (Field Programmable Gate Array) configured according to a firmware, which executes one or several operations, releasing the GPP from doing them.

Finally, the information obtained can be forwarded to another piece of software or another device, by means of a sound card, virtual cable or communication ports (Ethernet, USB, etc.), and can even create online servers such as those offered by the manufacturer Airspy. Moreover, exporting information to a text file is also possible as long as the software used permits it.

- Example of a user interface offered by the free and open source software, SDRSharp. -

If the SDR acts as a transmitter, the stages to be carried out are the same, but in reverse order and opposite operations are carried out, among which the following stand out: the digital-analogue converter (DAC), the DUC (Digital Up Converter), and CFR linearization (Crest Factor Reduction) and DPD (Digital Pre-Distortion).

Possible threats with SDR

An SDR can be used to threaten wireless communications, in both their reception mode and in their transmission mode. Depending on the capabilities the hardware offers (such as working frequencies) and software that is being run (including plugins), the attack vectors may include:

• Sniffing. Es una técnica que la SDR lleva a cabo en modo recepción y que afecta a la confidencialidad de una transmisión, tanto si solo está codificada, como si también está cifrada, siempre y cuando se disponga de las herramientas software para ello. A parte del propio mensaje, también es posible obtener: la identidad del emisor y receptor, instante de establecimiento y desconexión de la transmisión, nivel de intensidad de la señal, tipo de modulación, ancho de banda en frecuencia utilizado, etc.
• Ataque de canal lateral (side-channel attack). It consists of collecting and analysing information from physical parameters, such as noise or radiation, from the integrated circuits as they carry out their processing operations. The SDR, in receive mode, carries out this non-invasive attack by affecting the confidentiality of the transmission, which is very difficult to detect. An example is tracking of RF emissions from hardware wallets.
• Jamming intentional. It is a denial-of-service (DoS) attack in which transmission is blocked from either the receiving or the emitting end. In this case, the SDR emits RF signals to insert noise into the radio channel or channels used. This attack affects the availability of information. An example would be jamming over ZigBee networks.
• Spoofing. Knowing the features of the communication protocol, a false, yet valid, signal can be generated using SDR, for the attacked receiving equipment. With the false signal, it is possible to send erroneous data or even inject malicious code to take total or partial control of the receiver, altering how it operates, degrading the transmission or making it vulnerable to other attacks. An example is the spoofing on the GNSSs.
• Replay attack. Using this attack, the SDR captures a transmission, copies it, and later forwards it. It can thus become a legitimate device (spoofing) within a communications network or it simply sends the copies, degrading the communication or even causing a flood DoS attack. It would have an effect in terms of availability or confidentiality.
• Flood attack. Whether through spoofing or a replay attack, the receiver’s availability is compromised by an attacking sending SDR, upon receiving a large number of messages in such a short time that it cannot process them.
• Reinjection attack. It is an attack similar to the replay attack, but in this case the message is modified before being forwarded. The integrity and confidentiality of a transmission is thus compromised.

Sometimes an attacker requires a combination of techniques to succeed, as with the Rolljam system, which combines jamming and replay attacks.

Protections through SDR

The defensive options an SDR can offer against cyberattacks are also limited by its operating mode, emission or reception, and by the capabilities offered by the associated hardware and software.

The outstanding function in cyber defence is monitoring of wireless communications. This monitoring can be focused on the radio frequency spectrum, detecting signals that are suspicious because of frequency peaks, noise, origin of the interference (radio direction finding) or communication failures, using an FFT display or algorithms designed for that purpose. It can also focus on analysing the message that is carried by the RF signal, as would be done in a sniffing attack.

We must mention the fact that, in certain circumstances, the techniques used in cyberattacks can also be used as a protection in cyber defence. This is true of, for example, using the SDR to carry out spoofing or jamming GNSS attacks, and thus protecting a company’s assets if they are located.

Lastly, an SDR allows equipment to be duplicated and thus make a corporate communications system more robust, thus guaranteeing the availability of information in the event of equipment failures or interferences in reception.

Conclusion

Software-Defined Radio stands out for being a flexible system in terms of hardware, since it offers the option of operating with different wireless communication technologies without needing to buy specific equipment for each of them, and in terms of software, since it can be associated with different types of software, whether freeware or proprietary software, and be they free or paid.

Likewise, it is an economical system, not only thanks to its flexibility, but also due to the low cost of some models, such as dongles R820T2 (R860 coming soon) + RTL2832U, which makes the SDR accessible to anybody. Moreover, the option of updating remotely and quickly, to correct errors or vary parameters, is a key aspect in matters of security, maintenance and equipment availability.

The objective pursued with the SDR is that a user should establish communication when they require it, with whom they need to do so, and according to the protocol provided for that communication. Telecommunications companies are currently beginning to install SDR technology and there is a large community dedicated to developing new applications, such as the forum RTL-SDR.COM, where new content is published frequently.